Patent application number | Description | Published |
20090288104 | EXTENSIBILITY FRAMEWORK OF A NETWORK ELEMENT - Techniques for providing extensibility framework for processing network packets are described herein. In one embodiment, in response to a packet received at a network element, the packet is processed using a generic process for performing a first type of operations required by the packet, wherein the first type of operations is common to a type of the packet. An extended process is invoked, via an extensibility application programming interface (API), to perform a custom operation that is not common to the generic process and is not statically known to the generic process, in order to determine whether the packet is eligible to access a resource of at least one of a plurality of application servers of a datacenter, including a layer-7 access control process. The network element operates as an application service gateway for the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
20090288135 | METHOD AND APPARATUS FOR BUILDING AND MANAGING POLICIES - Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
20090288136 | HIGHLY PARALLEL EVALUATION OF XACML POLICIES - Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described. | 11-19-2009 |
20130019277 | Zone-Based Firewall Policy Model for a Virtualized Data CenterAANM Chang; DavidAACI MilpitasAAST CAAACO USAAGP Chang; David Milpitas CA USAANM Patra; AbhijitAACI SaratogaAAST CAAACO USAAGP Patra; Abhijit Saratoga CA USAANM Bagepalli; NagarajAACI San JoseAAST CAAACO USAAGP Bagepalli; Nagaraj San Jose CA USAANM Sethuraghavan; Rajesh KumarAACI San JoseAAST CAAACO USAAGP Sethuraghavan; Rajesh Kumar San Jose CA US - Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed. | 01-17-2013 |
20130163606 | Architecture for Scalable Virtual Network Services - Techniques are provided to start a virtual service node that is configured to provide network traffic services for one or more virtual machines. The virtual service node has at least one associated service profile comprising identifiers for corresponding service policies for network traffic services. The service policies identified in the at least one associated service profile are retrieved. A virtual machine is started with an associated virtual interface and a port profile is applied to the virtual interface, including information identifying the service profile. Information is provided to the virtual service node that informs the virtual service node of network parameters and assigned service profile of the virtual machine. Network traffic associated with the virtual machine is intercepted and redirected to the virtual service node. A virtual service data path is provided that enables dynamic service binding, virtual machine mobility support, and virtual service node chaining and/or clustering. | 06-27-2013 |
20130268588 | Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment - A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines. | 10-10-2013 |
20130268799 | Automatically Scaled Network Overlay with Heuristic Monitoring in a Hybrid Cloud Environment - Techniques are provided for a management application in a first virtual network to start a first cloud gateway in the first virtual network. First messages are sent to a second virtual network, the first messages comprising information configured to start a second cloud gateway and a first virtual switch in the second virtual network. A connection is established between the first cloud gateway and the second cloud gateway, where the first cloud gateway, the second cloud gateway, and the first virtual switch form a first scalable cloud network element. One or more second messages are sent to the second virtual network, the one or more second messages comprising information configured to start a virtual machine and a first virtual machine interface configured to allow the virtual machine to access processing resources in the second virtual network. Data are stored that associates the virtual machine with the first virtual switch. | 10-10-2013 |
20130312056 | Zone-Based Firewall Policy Model for a Virtualized Data Center - Techniques are provided for implementing a zone-based firewall policy. At a virtual network device, information is defined and stored that represents a security management zone for a virtual firewall policy comprising one or more common attributes of applications associated with the security zone. Information representing a firewall rule for the security zone is defined and comprises first conditions for matching common attributes of applications associated with the security zone and an action to be performed on application traffic. Parameters associated with the application traffic are received that are associated with properly provisioned virtual machines. A determination is made whether the application traffic parameters satisfy the conditions of the firewall rule and in response to determining that the conditions are satisfied, the action is performed. | 11-21-2013 |